23 matches found
PT-2025-14841 · Unknown · Expand-Object
Name of the Vulnerable Software and Affected Versions: expand-object, versions 0.0.0 and later. Description: The issue concerns a Prototype Pollution flaw in the expand function in index.js. The function expands a given string into an object but does not check the provided ke...
CVE-2023-50473
Cross-Site Scripting (XSS) vulnerability in bill-ahmed qbit-matUI version 1.16.4 allows remote attackers to obtain sensitive information via fixed session identifiers (SID) in the index.js file...
PT-2023-31574 · Unknown · Bill-Ahmed Qbit-Matui
Name of the Vulnerable Software and Affected Versions: bill-ahmed qbit-matUI version 1.16.4. Description: The issue is a Cross-Site Scripting (XSS) vulnerability that allows remote attackers to obtain sensitive information via fixed session identifiers (SID) in the index.js file. This vulnerability...
CVE-2023-26106
All versions of the package dot-lens are vulnerable to Prototype Pollution via the set function in the index.js file...
Design/Logic Flaw
All versions of the package dot-lens are vulnerable to Prototype Pollution via the set function in the index.js file...
PT-2023-20493 · Dot-Lens · Dot-Lens
Name of the Vulnerable Software and Affected Versions: dot-lens, all versions. Description: The issue concerns Prototype Pollution via the set function in the index.js file and affects all versions of the dot-lens package. There is no information provided about the estimated number of potentially...
TinaCMS log information disclosure vulnerability
TinaCMS is an open source headless CMS for Markdown, MDX and JSON. A log information disclosure vulnerability exists in TinaCMS versions prior to 1.0.9: sensitive values held in process.env are written in plaintext into the index.js file...
flat security vulnerability
flat is a library by the individual developer Hugh Kennedy. It takes a nested JavaScript object and flattens it, or unflattens an object using a separator key. A security vulnerability exists in flat versions prior to 5.0.1, stemming from a problem in the unflatten function in th...
npm-help command injection vulnerability
npm-help is a package by the Chinese individual developer playman.me. A security vulnerability exists in npm-help, caused by command injection in the export.latestVersion function in the index.js file...
AZL-44583 CVE-2021-44906 affecting package js-jquery 3.5.0-4
Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey, lines 69-95...
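The prototype-pollution entries above (expand-object, dot-lens, flat and minimist) all describe the same mechanism: a dot-path setter walks caller-supplied keys into an object without rejecting the keys that reach the prototype chain. The block below is an added example, not code from any of those packages; it shows a minimal setter of that shape beside a hardened one. The function names, the reserved-key list and the two payloads are illustrative assumptions.

```javascript
// Added example: a minimal dot-path setter in the style of dot-lens' set()
// or minimist's setKey(). Names (setUnsafe, setSafe) are illustrative only.

// Vulnerable: walks every key the caller supplies. "__proto__" on a plain
// object resolves to Object.prototype, and "constructor.prototype" gets
// there in two steps, so the final assignment lands on every object.
function setUnsafe(obj, path, value) {
  const keys = path.split('.');
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    if (cur[keys[i]] == null) {       // loose check typical of such setters
      cur[keys[i]] = {};
    }
    cur = cur[keys[i]];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Hardened: refuse the three keys that reach the prototype chain and only
// descend into own properties, so an inherited getter is never walked.
const RESERVED = new Set(['__proto__', 'constructor', 'prototype']);

function setSafe(obj, path, value) {
  const keys = path.split('.');
  for (const k of keys) {
    if (RESERVED.has(k)) {
      throw new Error(`refusing to set reserved key "${k}"`);
    }
  }
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    if (!Object.prototype.hasOwnProperty.call(cur, k) ||
        typeof cur[k] !== 'object' || cur[k] === null) {
      cur[k] = {};
    }
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Shows the pollution: the payload targets a throwaway object, yet an
// unrelated object created afterwards inherits the injected property.
// Cleans Object.prototype up again so the rest of the process is unaffected.
function pollutionDemo(path) {
  setUnsafe({}, path, true);
  const victim = {};
  const leaked = victim.isAdmin === true;
  delete Object.prototype.isAdmin;
  return leaked;
}

// Same payload against the hardened setter: it throws, and nothing leaks.
function hardenedDemo(path) {
  let rejected = false;
  try {
    setSafe({}, path, true);
  } catch (e) {
    rejected = true;
  }
  return { rejected, leaked: ({}).isAdmin === true };
}

// Constructed payloads: the two path shapes seen in prototype-pollution reports.
const PAYLOADS = ['__proto__.isAdmin', 'constructor.prototype.isAdmin'];

console.log(PAYLOADS.map(p => [p, pollutionDemo(p), hardenedDemo(p)]));
console.log(setSafe({}, 'user.role', 'guest')); // legitimate use still works
```

Blocking `constructor` means a legitimate key literally named `constructor` is also refused; an alternative that avoids that trade-off is to build intermediate objects with `Object.create(null)` so there is no prototype to reach.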
GHSA-43F8-2H32-F4CJ Regular Expression Denial of Service in hosted-git-info
The npm package hosted-git-info before 3.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS) via the regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity...
DEBIAN-CVE-2021-23362
The package hosted-git-info before 3.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS) via the regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity...
Arbitrary Command Injection
kill-process-by-name is vulnerable to arbitrary command injection. The vulnerability exists due to the use of the child_process exec function without input sanitization in the index.js file...
CVE-2021-23356 Arbitrary Command Injection
This affects all versions of the package kill-process-by-name. If attacker-controlled user input is given, an attacker can execute arbitrary commands. This is due to use of the child_process exec function without input sanitization in the index.js file...
CVE-2020-28429 Command Injection
All versions of package geojson2kml are vulnerable to Command Injection via the index.js file. PoC: var a =require"geojson2kml"; a"./","& touch JHU",function...
Command Injection
async-git is vulnerable to command injection. An attacker is able to inject malicious OS commands into the system shell via the getter function in the index.js file...
Malicious Package
jquerry is a malicious package. Its index.js file downloads and executes a crypto-mining script, though the script is not executed upon installation...